The present invention relates to intrusion detection in networks, and more particularly to categorizing IDPS (Intrusion Detection and Prevention System) signatures.
This section is intended to provide a background or context to the invention disclosed below. The description herein may include concepts that could be pursued, but are not necessarily ones that have been previously conceived, implemented or described. Therefore, unless otherwise explicitly indicated herein, what is described in this section is not prior art to the description in this application and is not admitted to be prior art by inclusion in this section.
Intrusion detection is the process of monitoring the events occurring in a network (and/or computer systems) and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion Detection and Prevention Systems (IDPS systems) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. It is noted that although the acronym “IDPS” contains “system” as the last part of the acronym, the term “IDPS system” is also used herein, for ease of reference. In addition, organizations use IDPS systems for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. In fact, IDPS systems have become a necessary addition to the security infrastructure of nearly every organization. See NIST (National Institute of Standards and Technology), Guide to Intrusion Detection and Prevention Systems (IDPS), Special Publication 800-94, 2007, for this and additional information about IDPS systems.
For many IDPS systems, signatures are used. Signatures are patterns that indicate known threats. Signature-based detection includes comparing signatures against observed events to identify possible incidents.
Because IDPS systems are sold and implemented by different vendors, and because each vendor has different IDPS signatures, if an organization uses IDPS systems from multiple vendors, these differences between signatures can be difficult to reconcile. It is believed that the lack of standard categorization of IDPS signatures is a potent barrier for aggregating information from multiple IDPS systems, e.g., developed by different vendors. It is possible to manually categorize IDPS signatures. Manually categorizing thousands of signatures, however, can be tedious and error-prone.